cycbot | b0092c991823f7b85f494a276b890805ded941ec04557140810a27a791f07a30

General

Target

957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe
Size

164KB
MD5

957c58f44ae8a07021e5ad4423393905
SHA1

4c64f1511da8c8755ff3fa28cdbebbb99a7a17a9
SHA256

b0092c991823f7b85f494a276b890805ded941ec04557140810a27a791f07a30
SHA512

715dd76b8cc5a4500f2e0f5c154319e432d7c396f49060d4ef9b13a95b733bc801501beb89b74b0fdc4199f8f23fd8b2304ad7be27c74069351f5aa69ee76614
SSDEEP

3072:GmfJmOJHYuBuyWKfo1y+/Ihyt3hJWQ8V+yAsOezzEOYHq0aIcZtL:IONYuBuyIYtQgzOezRYHqM

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2380-8-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2592-19-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/1524-91-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2592-193-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2592-198-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2592-1-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2380-7-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2380-8-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2592-19-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1524-89-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1524-91-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2592-193-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2592-198-0x0000000000400000-0x0000000000469000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2380	2592	957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe	30
PID 2592 wrote to memory of 2380	2592	957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe	30
PID 2592 wrote to memory of 2380	2592	957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe	30
PID 2592 wrote to memory of 2380	2592	957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe	30
PID 2592 wrote to memory of 1524	2592	957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe	32
PID 2592 wrote to memory of 1524	2592	957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe	32
PID 2592 wrote to memory of 1524	2592	957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe	32
PID 2592 wrote to memory of 1524	2592	957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\957c58f44ae8a07021e5ad4423393905_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8CF9.8DF

Filesize
597B

MD5
2d9c32d6b3b0528833aae4e888f86d8c

SHA1
162eb989827a0fdf26903123d85a3da8913f5c6c

SHA256
35484d8d8ea778a5b46f2bda6a6b289b8bf78d943b0c6b574c8b6727ecace8cd

SHA512
898c495ce037efbeba02a9c1419bb21db97cd10286c09380cb03f99278041b034b6bd073a62d313e50d4f5fc3b1b04f0eae91c38f72a0b788988230b64bbfab7

Download Submit
C:\Users\Admin\AppData\Roaming\8CF9.8DF

Filesize
1KB

MD5
9db82e0e31cde81165a3c97b6203dd51

SHA1
82f8b52cb45e2a2e9e0443bdca6d4a0f8ea96c60

SHA256
378cd0a4186a8f501bca85a60779790e4be0f4dc7d9a4c4e8e07e267fb04b0cf

SHA512
460694d3d9f64ea6f27e683ee2c69236f403aa86482d7b99df16008b5220ce17b0218a64a577c578148f1368026e1c637a2b2e86654262d7f1a17e02a8f0c07d

Download Submit
C:\Users\Admin\AppData\Roaming\8CF9.8DF

Filesize
897B

MD5
ce0d91e2977c7568fb05ef824f86e94e

SHA1
e0ef08e6af496ca698099e39ca073ad86ae3e25c

SHA256
6df36a8388c544b694d54fa2b6cdb13f6bf9110e82ddd9ca3c03de62a3c1d240

SHA512
389e42c20daa2eaf775cd2fa42b66c01859651fabad34610278cdb95df274184fe3c6b8125cad9925150868df6bd6a24a95507520e25c27fff82072fc086a626

Download Submit
memory/1524-89-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1524-91-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2380-7-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2380-6-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2380-8-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2592-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2592-19-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2592-193-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2592-198-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing